"A Vulnerability is only as bad as the Threat exploiting it and the Impact on the organization"
Challenges with Vulnerability Management

Overwhelming number of vulnerabilities
No vulnerability-to-patch correlation
CVSS and CVE being too skewed
Vulnerability assessment as a feature
Penetration testing being used interchangeably with VM
No single platform
CVSS Confession

From the CVSS v3.1 User Guide, section 2.1, "CVSS Measures Severity, not Risk":

The CVSS Specification Document has been updated to emphasize and clarify the fact that CVSS is designed to measure the severity of a vulnerability and should not be used alone to assess risk.

Concerns have been raised that the CVSS Base Score is being used in situations where a comprehensive assessment of risk is more appropriate. The CVSS v3.1 Specification Document now clearly states that the CVSS Base Score represents only the intrinsic characteristics of a vulnerability which are constant over time and across user environments. The CVSS Base Score should be supplemented with a contextual analysis of the environment, and with attributes that may change over time by leveraging CVSS Temporal and Environmental Metrics. More appropriately, a comprehensive risk assessment system should be employed that considers more factors than simply the CVSS Base Score. Such systems typically also consider factors outside the scope of CVSS such as exposure and threat.
Vulnerability Management Lifecycle

Asset Inventory Management: Do you know what all your assets are and where they are?
Vulnerability Assessment: Do you know the type and amount of open vulnerabilities?
Threat, Risk and Prioritization: Can you prioritize remediation based on threat intelligence?
Patch Management: How can you deploy patches to close high-impact vulnerabilities?
WannaCry Timeline and Remediation

[Timeline figure: EternalBlue exploit → remediation; labels: Authenticated Scan / Agent Detection, THOUSANDS, New Remote Detection]

Introducing Qualys VMDR: one solution to Discover, Assess, Prioritize and Patch critical vulnerabilities
Asset Discovery
Detect known and unknown assets
Workflow to add an unmanaged asset as a managed asset

Asset Inventory
Hardware, operating system, and application inventory for all assets

Asset Normalization and Categorization
Normalize inventory data by common attributes
Categorize by vendor, version, type
Vulnerability Management
Detect vulnerabilities by QID
CVE-to-QID mapping
CVSSv2 and CVSSv3 base scores

Security Configuration Assessment
CIS Benchmarks
Security-related misconfigurations
Prioritization
Using real-time threat context:
Real-world exploits
Proof of concepts
Exploit categorization
Exploit severity

Machine Learning

Contextual Awareness
Remediation

Automatically correlate vulnerabilities to patches
End-to-end user interface workflows
Fit-for-purpose visualizations and recommendations
Orchestration for remediation
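Added illustration (not Qualys code and not part of the deck) of the vulnerability-to-patch correlation step as a small catalog join. The patch identifiers, CVE placeholders and asset names are constructed; the point is the supersedence handling, since a vendor's cumulative patch replaces the earlier ones that first named a CVE, and a finding that no catalog entry covers must be surfaced as needing a mitigation rather than silently dropped.

```python
"""Correlate scanner findings (asset, CVE) with a patch catalog that models
supersedence, and produce per-asset the smallest set of current patches plus
the CVEs no patch covers. All data below is constructed for illustration."""
from collections import defaultdict

# Constructed catalog: patch id -> CVEs it fixes and earlier patches it supersedes.
CATALOG = {
    "KB-001": {"fixes": {"CVE-A-0001"}, "supersedes": set()},
    "KB-002": {"fixes": {"CVE-A-0002", "CVE-A-0003"}, "supersedes": {"KB-001"}},
    "KB-003": {"fixes": {"CVE-A-0004"}, "supersedes": {"KB-002"}},  # cumulative rollup
    "KB-010": {"fixes": {"CVE-B-0001"}, "supersedes": set()},
    "KB-011": {"fixes": {"CVE-B-0002"}, "supersedes": set()},
}


def effective_fixes(catalog):
    """Own fixes plus everything transitively superseded (cumulative coverage)."""
    cache = {}

    def walk(pid, seen):
        if pid in cache:
            return cache[pid]
        if pid in seen:               # defensive: a malformed cycle in the catalog
            return set()
        seen.add(pid)
        cov = set(catalog[pid]["fixes"])
        for old in catalog[pid]["supersedes"]:
            if old in catalog:
                cov |= walk(old, seen)
        cache[pid] = cov
        return cov

    return {pid: walk(pid, set()) for pid in catalog}


def current_patches(catalog):
    """Patches not superseded by any other entry: the only ones worth deploying."""
    superseded = set().union(*(p["supersedes"] for p in catalog.values()))
    return [pid for pid in catalog if pid not in superseded]


def correlate(findings, catalog):
    """findings: iterable of (asset, cve). Returns {asset: (patches, unpatched)}."""
    cov = effective_fixes(catalog)
    current = current_patches(catalog)
    open_by_asset = defaultdict(set)
    for asset, cve in findings:
        open_by_asset[asset].add(cve)
    plan = {}
    for asset, open_cves in open_by_asset.items():
        remaining = set(open_cves)
        chosen = []
        # Greedy set cover: repeatedly take the current patch closing the most open CVEs.
        while remaining:
            best = max(current, key=lambda p: (len(cov[p] & remaining), p))
            gain = cov[best] & remaining
            if not gain:              # nothing in the catalog covers what is left
                break
            chosen.append(best)
            remaining -= gain
        plan[asset] = (sorted(chosen), sorted(remaining))
    return plan


# Constructed findings, shaped like a scanner's (asset, CVE) output.
FINDINGS = [
    ("web-01", "CVE-A-0001"), ("web-01", "CVE-A-0003"), ("web-01", "CVE-B-0002"),
    ("db-01", "CVE-A-0004"), ("db-01", "CVE-C-0001"),   # CVE-C-0001: no patch in catalog
]

if __name__ == "__main__":
    for asset, (patches, unpatched) in sorted(correlate(FINDINGS, CATALOG).items()):
        print(asset, "apply:", patches, "needs mitigation:", unpatched)
```

For web-01 the two older findings resolve to the single rollup KB-003 rather than to KB-001 and KB-002, which is the difference between a patch job and a patch backlog; for db-01 the leftover CVE-C-0001 is reported explicitly so it can be routed to a mitigation or vendor follow-up.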
[Screenshot: Qualys Enterprise, Threat Prioritization Report, with "Export to Dashboard" and a "Patch Now" action; filtered on five asset tags: Finance, Operations, Engineering, HR-HQ, HR-France]
Prioritization Engine

Dataset of 120,000+ vulnerabilities
132 vulnerability features
Live exploits / PoCs
Historical threat patterns
Historical vulnerable software/vendor
Dark web and social media references
Qualys security researchers
Learns new patterns and intelligence daily
"The more time you spend on activities with low impact, the less time you have for higher impact activities"
Qualys Insights

ML model inputs:
120K+ vulnerabilities
Exploits/threat feeds
Dark web and social media

Contextual Awareness

Your network is unique to you:
External-facing assets
Network reachability / cloud security groups
Zero-trust networking / BeyondCorp
Business / customer applications
Data sensitivity and data access governance
Asset system configuration
Security control validation
Correlation

[Diagram: Qualys asset and vulnerability data, Security Controls and Exposure feed the Priority Score]

VMDR comes with much more

Unlimited Cloud Agents
Unlimited Container Sensors
Unlimited Passive Sensors
Certificate Inventory
Cloud Inventory
Container Inventory
Mobile Device Inventory

Asset Categorization
Asset Normalization
Configuration Assessment
CIS Benchmarks
Continuous Monitoring
Patch Detection and CVE Correlation

Available February 2020
VMDR Concept Demo

Industry terms and acronyms

RBVM - Risk-based approach to VM
TCVM - Threat-Centric Vulnerability Prioritization or Management
VPT - Vulnerability Prioritization Technologies
TVM - Threat and Vulnerability Management
Security Posture
ASM - Attack Surface Management
Penetration Testing
Thank You

Prateek Bhajanka
pbhajanka@qualys.com